4

I have heard it anecdotically that non-bijective sboxes are potentially weaker to be used in designs like feistel networks. (since by design, it is allowed for the sbox to be non-reversible)

Is that a fact?

The first thought I had on this was that it may related to the fact that the probabilities of S are not uniformly distributed and so, if you choose the most favorable outcomes you may have an edge over the bijective counterpart in e.g. bruteforcing.

But again I new to the field, so any insights on the matter would be greatly appreciated.

Anton Paragas
  • 411
  • 2
  • 8

1 Answers1

5

No.

It is one of the main features of a Feistel network that both decryption and encryption just need to evaluate the S-box in the same direction. It could potentially be a weakness if you used invertible functions in the S-boxes: First, you are limited to a much smaller set of functions to choose from. And then you might not be able to find a function which has the other important properties, which are actually needed for security, e.g. non-linearity, diffusion and confusion, a balanced output, etc.

tylo
  • 12,864
  • 26
  • 40